[AppDB] - protect against sql injection in select,
update and delete statements
chmorgan at gmail.com
Sun Jun 25 18:45:49 CDT 2006
Testing once beats testing over and over and over again IMO. I
suspect that if your testing looks good and mine does as well then we
should be ready to go.
I'll fix up moving test results, that should be an easy one, and do
another once over of the patch before comitting it. I'm pretty
confident that it is all set, I've tested submitting notes, comments,
applications, distributions etc here and it looks good.
On 6/25/06, Tony Lambregts <tony.lambregts at gmail.com> wrote:
> Chris Morgan wrote:
> > Protect against sql injection attacks in select, update and delete statements
> > by using query_parameters(). mysql_real_escape_string() is used on variables
> > in cases where using query_parameters() isn't possible due to the complexity
> > of the query. These could potentially be simplified so query_parameters()
> > could be used.
> This patch is quite large and it breaks moving an test results to an
> existing version.
> I had spent a fair amount of time testing this before I found this bug
> and I think that most of it may be OK but as they say "one drop of crap
> in a gallon of wine..."
> Can you submit some smaller chunks of this so that I can test them and
> we get them in. We already have query_parameters() in the code base so
> the simple stuff like addcomment.php is probably good to go. If you
> could submit a patch for just those I would appreciate it.
> Tony Lambregts
More information about the wine-patches